Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-q3cc-rr2c-87r6

Опубликовано: 13 мая 2022
Источник: github
Github: Прошло ревью
CVSS3: 8.8

Описание

Hex authenticity of signed packages not validated

Hex package manager hex_core version 0.3.0 and earlier contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromised mirror. This vulnerability appears to have been fixed in 0.4.0.

Ссылки

Пакеты

Наименование

hex_core

Затронутые версииВерсия исправления

< 0.4.0

0.4.0

EPSS

Процентиль: 46%
0.00233
Низкий

8.8 High

CVSS3

CVE ID

CVE-2019-1000013

Дефекты

CWE-345

Связанные уязвимости

nvd логотип

CVE-2019-1000013

CVSS3: 8.8
nvd
около 7 лет назад

Hex package manager hex_core version 0.3.0 and earlier contains a Signing oracle vulnerability in Package registry verification that can result in Package modifications not detected, allowing code execution. This attack appears to be exploitable via victim fetches packages from malicious/compromised mirror. This vulnerability appears to have been fixed in 0.4.0.

EPSS

Процентиль: 46%
0.00233
Низкий

8.8 High

CVSS3

CVE ID

CVE-2019-1000013

Дефекты

CWE-345